--- /etc/defaults/rc.conf-new 2013-02-22 09:37:36.000000000 +0000
+++ /etc/defaults/rc.conf-new 2013-02-22 10:42:15.000000000 +0000
@@ -153,6 +153,14 @@
 # firewall.
 firewall_trusted="" # List of IPs which have full access to this
 # host for "workstation" firewall.
+firewall_denied="" # List of files containing IPv4 and/or IPv6
+ # addresses that have no access to this host.
+firewall_denied_rule="550" # ipfw rule number used to host all rules
+ # denying access to this host.
+firewall_denied_services="*" # List of TCP ports on which this host
+ # denies services for "workstation" firewall.
+ # If '*' is entered, then all services will
+ # be blocked, TCP or UDP.
 firewall_logdeny="NO" # Set to YES to log default denied incoming
 # packets for "workstation" firewall.
 firewall_nologports="135-139,445 1026,1027 1433,1434" # List of TCP/UDP ports
--- /etc/rc.firewall-new 2012-11-21 09:08:57.000000000 +0000
+++ /etc/rc.firewall-new 2013-02-22 10:39:02.000000000 +0000
@@ -433,6 +433,18 @@
 # This option can seriously degrade
 # the level of protection provided by
 # the firewall.
+ # firewall_denied: List of files containing IPv4 and/or
+ # IPv6 addresses that have no access
+ # to this host.
+ # firewall_denied_rule: ipfw rule number used to host all
+ # rules denying access to hosts listed
+ # in the files in $firewall_denied.
+ # firewall_denied_rule: ipfw rule number used to host all rules
+ # denying access to this host.
+ # firewall_denied_services: List of TCP ports on which this host
+ # denies services for "workstation" firewall.
+ # If '*' is entered, then all services
+ # will be blocked, TCP or UDP.
 # firewall_logdeny: Boolean (YES/NO) specifying if the
 # default denied packets should be
 # logged (in /var/log/security).
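Review bot: The `firewall_denied_rule` entry appears twice in the added rc.firewall comment block, with different wording ("rules denying access to hosts listed in the files in $firewall_denied" versus "rules denying access to this host"); the second copy looks like a leftover from an earlier revision and should be dropped so the two descriptions cannot drift apart. The `firewall_denied_services` text, here and in the rc.conf hunk above, would also help operators by saying that the list is space-separated and that when specific ports are given only TCP traffic from the denied addresses is blocked, e.g. `# Space-separated TCP ports; UDP from denied hosts is only blocked with '*'.`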
@@ -498,6 +510,36 @@
 ${fwcmd} add pass ip from $i to me
 done
 
+ # If specified, deny hosts from reaching this machine.
+ ds=`echo ${firewall_denied_services} | sed 's/ /,/g'`
+ for i in ${firewall_denied} ; do
+ # check that file exists first.
+ if [ -f $i ]; then
+ oldIFS=$IFS
+ IFS="
+"
+ # Go over all IPs listed in the file.
+ for ip in `cat $i` ; do
+ # Block IP if first character isn't a dash.
+ i=${ip%${ip#?}}
+ if [ $i != "#" ]; then
+ # Cut string when first space is found.
+ # Practical for Postfix files and geographic
+ # CIDR's obtained from online sources.
+ ip=`echo $ip | cut -d " " -f 1`
+
+ # Add block rule for target IP.
+ if [ "*" = $ds ]; then
+ ${fwcmd} add ${firewall_denied_rule} deny ip from $ip to me
+ else
+ ${fwcmd} add ${firewall_denied_rule} deny tcp from $ip to me $ds in
+ fi
+ fi
+ done
+ IFS=$oldIFS
+ fi
+ done
+
 ${fwcmd} add 65000 count ip from any to any
 
 # Drop packets to ports where we don't want logging
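Review bot: The comment `# Block IP if first character isn't a dash.` does not match the test two lines below, which compares the first character against `#`; and because the inner loop splits only on newlines, a line with leading blanks or a tab-separated first field is not recognised as a comment and `cut -d " "` then yields an empty `$ip`, so the script runs a malformed `${fwcmd} add ... deny ip from  to me` and silently adds nothing for that entry. Overwriting the outer loop variable `i` (the file name) with that first character is also confusing, and `[ "*" = $ds ]` should quote `"$ds"` so an empty firewall_denied_services does not turn into a test syntax error that falls through to the else branch. Reading the file with `read -r` under the default IFS removes the IFS juggling and the per-line `cut`, as sketched below; the enclosing "workstation" case branch starts and ends outside the hunk. Since the comment mentions geographic CIDR lists from online sources, one `${fwcmd}` invocation per address will be slow at boot, and an ipfw table referenced by a single deny rule would presumably scale better, though that is a larger change.
```shell
			# Go over all IPs listed in the file: skip blank lines and
			# lines starting with '#', keep only the first field.
			while read -r ip _; do
				case "$ip" in
				''|'#'*) continue ;;
				esac
				# Add block rule for target IP.
				if [ "*" = "$ds" ]; then
					${fwcmd} add ${firewall_denied_rule} deny ip from "$ip" to me
				else
					${fwcmd} add ${firewall_denied_rule} deny tcp from "$ip" to me "$ds" in
				fi
			done < "$i"
			# … unchanged: fi / done closing the file loop …
```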